
More SVG sanitization #513

Merged
cwillisf merged 7 commits into develop from hotfix/more-svg-sanitization
Apr 7, 2026

Conversation

@cwillisf cwillisf commented Apr 6, 2026

This hotfix branch is intended for deployment as-is, and will be merged into develop (after resolving conflicts) as a followup

Proposed Changes

Catch more cases, including:

  • Hex-escaped url in attributes or <style> elements
  • Multiple url(...) items in one attribute, where the first one is OK and one of the later URLs is an external reference

Also, add tests for many cases that were already handled correctly.

Reason for Changes

We're seeing some cases in the wild where hex-escaped URLs are being used to add "creative" styling to the project page.

To clarify for those who are ...lurking... 👀
We know this won't block the CSS trickery itself; it just blocks the potential leakage of personal information. That's the super-urgent part of this. Turning the page blue or replacing the Scratch logo is cute and/or annoying, and we do plan to fix that, but the privacy implications of it are limited. I just have too many meetings today to safely do both in one go 😅

Test Coverage

Included.

@cwillisf cwillisf requested a review from Copilot April 6, 2026 21:01
@cwillisf cwillisf requested a review from a team as a code owner April 6, 2026 21:01
github-actions bot commented Apr 6, 2026

Test report for scratch-vm

    1 files  ±0    886 suites  ±0   2m 3s ⏱️ +4s
1 916 tests ±0  1 916 ✅ ±0   0 💤 ±0  0 ❌ ±0 
5 218 runs  ±0  5 188 ✅ ±0  30 💤 ±0  0 ❌ ±0 

Results for commit 629c2bd. ± Comparison against base commit 33eda2c.

♻️ This comment has been updated with latest results.

Copilot AI left a comment


Pull request overview

Hotfix to strengthen SVG sanitization against obfuscated/external CSS url(...) references (including CSS hex escapes), and to expand fixture-based test coverage for previously handled cases.

Changes:

  • Add CSS-escape decoding + css-tree AST scanning to detect external url(...) in attributes and <style> blocks.
  • Extend attribute sanitization to handle multiple url(...) occurrences and more SVG URI-carrying scenarios.
  • Add/adjust SVG fixture pairs to validate sanitization behavior across more cases.

Reviewed changes

Copilot reviewed 2 out of 12 changed files in this pull request and generated 3 comments.

Summary per file:

  • packages/scratch-svg-renderer/src/sanitize-svg.js: Adds css-tree-based canonicalization and external url() detection for attributes and <style> elements.
  • packages/scratch-svg-renderer/package.json: Updates css-tree dependency to a newer major line.
  • package-lock.json: Locks updated dependency graph for css-tree upgrade/dedupe.
  • packages/scratch-svg-renderer/test/fixtures/css-escapes.svg: New fixture covering CSS hex-escaped url cases and multiple url() values.
  • packages/scratch-svg-renderer/test/fixtures/css-escapes.sanitized.svg: Expected sanitized output for CSS escape fixture.
  • packages/scratch-svg-renderer/test/fixtures/external-hrefs.svg: New fixture covering external href/xlink:href across more SVG elements.
  • packages/scratch-svg-renderer/test/fixtures/external-hrefs.sanitized.svg: Expected sanitized output for external href fixture.
  • packages/scratch-svg-renderer/test/fixtures/namespace-and-uri-attrs.svg: New fixture for namespace-prefixed href attributes and xml:base behavior.
  • packages/scratch-svg-renderer/test/fixtures/namespace-and-uri-attrs.sanitized.svg: Expected sanitized output for namespace/URI attribute fixture.
  • packages/scratch-svg-renderer/test/fixtures/blocked-elements.svg: New fixture for DOMPurify svgDisallowed elements with URI attributes.
  • packages/scratch-svg-renderer/test/fixtures/blocked-elements.sanitized.svg: Expected sanitized output for blocked-elements fixture.
  • packages/scratch-svg-renderer/test/fixtures/css-links.sanitized.svg: Updates expected <style> serialization after canonicalization/generation changes.


Comment thread packages/scratch-svg-renderer/src/sanitize-svg.js Outdated
Comment thread packages/scratch-svg-renderer/src/sanitize-svg.js
Comment thread packages/scratch-svg-renderer/package.json Outdated
cwillisf added 4 commits April 6, 2026 14:13
Replace our hand-rolled decodeCssEscapes regex with css-tree's built-in
ident.decode(). Upgrade css-tree from 1.1.3 to 3.2.1 and update Url
node access for the new API (node.value instead of node.value.value).

The previous href check used `currentNode.href.baseVal` (the SVG DOM
`SVGURIReference` API), which jsdom does not implement. The check was
always falsy, so external href values on <image>, <feImage>, <mpath>,
<pattern>, <linearGradient>, and <textPath> were never blocked.

Replace with a direct getAttribute-based check in the attribute loop,
alongside the existing CSS url() check.
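The two evasions from the description (a hex-escaped url in an attribute or <style> element, and a later url() item being external while the first is fine) and the getAttribute-based href check from the commit message above, worked through as an added example. This is not scratch-svg-renderer's sanitizer and it does not use css-tree: the escape decoding and url() scanning are hand-rolled from the CSS Syntax Level 3 tokenizer rules so the file runs stand-alone in Node. The local/external policy (only #fragment and data: references count as local), the attribute list in URL_BEARING_ATTRS, the plain-object attribute map in place of a DOM element, and all sample inputs are assumptions made for this example.

```javascript
'use strict';

// Added example, not code from scratch-svg-renderer: an escape-aware scan for
// CSS url() references that catches the two evasions described in the PR
// (hex-escaped "url" or URL text in attributes or <style>, and a later url()
// item being external when the first is fine), plus an attribute-level check
// in the spirit of the getAttribute-based href check from the commit above.
// Escape handling follows the CSS Syntax Level 3 tokenizer but is hand-rolled
// here so the file runs without css-tree.

const HEX = /[0-9a-fA-F]/;
const WS = /[ \t\n\r\f]/;
const IDENT = /[A-Za-z0-9_\-\u0080-\uFFFF]/;

// Consume one escape starting at s[i] === '\\': backslash + 1-6 hex digits and
// one optional whitespace, or backslash + any other code point, which stands
// for itself. Returns [decodedChar, indexAfterEscape].
function consumeEscape(s, i) {
    let j = i + 1;
    if (j >= s.length) return ['\uFFFD', j];
    if (!HEX.test(s[j])) return [s[j], j + 1];
    let hex = '';
    while (j < s.length && hex.length < 6 && HEX.test(s[j])) hex += s[j++];
    if (j < s.length && WS.test(s[j])) j++;
    const cp = parseInt(hex, 16);
    const bad = cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF);
    return [bad ? '\uFFFD' : String.fromCodePoint(cp), j];
}

// Consume characters while keepGoing(ch) holds, decoding escapes on the way so
// an escaped ")" or quote cannot end the token early. Returns [text, nextIndex].
function consumeDecoded(s, i, keepGoing) {
    let out = '';
    while (i < s.length && keepGoing(s[i])) {
        if (s[i] === '\\') {
            if (s[i + 1] === '\n') { i += 2; continue; }   // line continuation
            const [ch, j] = consumeEscape(s, i); out += ch; i = j;
        } else {
            out += s[i++];
        }
    }
    return [out, i];
}

// Return every url(...) argument in a CSS value or stylesheet, escapes decoded.
// It over-approximates on purpose (a url( inside a comment or string is
// reported too), which for a sanitizer only errs toward blocking.
function extractCssUrls(css) {
    const urls = [];
    let i = 0;
    while (i < css.length) {
        if (!IDENT.test(css[i]) && css[i] !== '\\') { i++; continue; }
        const [name, afterName] = consumeDecoded(css, i, ch => IDENT.test(ch) || ch === '\\');
        let j = afterName;
        if (name.toLowerCase() === 'url' && css[j] === '(') {
            j++;
            while (j < css.length && WS.test(css[j])) j++;
            let url;
            if (css[j] === '"' || css[j] === "'") {
                const quote = css[j];
                [url, j] = consumeDecoded(css, j + 1, ch => ch !== quote);
                j++;                                          // closing quote
            } else {
                [url, j] = consumeDecoded(css, j, ch => ch !== ')' && !WS.test(ch));
            }
            urls.push(url.trim());
        }
        i = Math.max(j, i + 1);
    }
    return urls;
}

// Assumed policy for this example: same-document fragments (#id) and data:
// URIs are local; anything else (http:, https:, protocol-relative //host,
// relative paths, javascript:, ...) counts as external.
function isExternalUrl(url) {
    const u = url.trim();
    return !(u.startsWith('#') || /^data:/i.test(u));
}

function findExternalCssUrls(css) {
    return extractCssUrls(css).filter(isExternalUrl);
}

// What a literal-text check sees: once "url" or "http" is hex-escaped it never matches.
const naiveHasExternalUrl = css => /url\(\s*['"]?\s*(https?:)?\/\//i.test(css);

// Attribute-level check over a plain {name: value} map (an assumption, so this
// runs without a DOM). A real sanitizer reads each value with getAttribute, as
// the commit above does, instead of relying on href.baseVal. Any href or
// prefixed *:href is a URI reference; the listed attributes may carry url().
const URL_BEARING_ATTRS = new Set(['style', 'fill', 'stroke', 'filter', 'mask',
    'clip-path', 'marker-start', 'marker-mid', 'marker-end', 'cursor']);

function externalReferences(attrs) {
    const found = [];
    for (const [name, value] of Object.entries(attrs)) {
        const local = name.slice(name.lastIndexOf(':') + 1);
        if (local === 'href') {
            if (isExternalUrl(value)) found.push({attr: name, url: value.trim()});
        } else if (URL_BEARING_ATTRS.has(local)) {
            for (const url of findExternalCssUrls(value)) found.push({attr: name, url});
        }
    }
    return found;
}

// Constructed samples, not the PR's fixtures. \75 decodes to "u", \68 to "h".
const SAMPLES = {
    local: 'fill: url(#grad1)',
    escapedName: 'fill: \\75 rl(https://attacker.example/t.png)',
    escapedScheme: "fill: url('\\68ttps://attacker.example/t.png')",
    laterItem: 'background: url(#ok), url(//attacker.example/t.png)',
    styleBlock: '.a { fill: \\75 rl("\\68\\74\\74\\70s://attacker.example/t.png") }'
};

for (const [label, css] of Object.entries(SAMPLES)) {
    console.log(label.padEnd(14), 'naive:', naiveHasExternalUrl(css), 'scan:', findExternalCssUrls(css));
}
```

Run it with node: each sample prints what a literal-text regex sees next to what the escape-aware scan finds, and only the last three samples separate the two. The PR does this with a css-tree AST instead, which also gives it a canonical re-serialization of <style> content (the css-links.sanitized.svg change in the file list); the point carried over here is that any check has to decode escapes before it compares, and has to look at every url() item rather than the first one.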
@cwillisf cwillisf force-pushed the hotfix/more-svg-sanitization branch from 38d96df to 7821a42 Compare April 6, 2026 21:34
@cwillisf cwillisf requested a review from Copilot April 6, 2026 21:34
Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 12 changed files in this pull request and generated 1 comment.



Comment thread packages/scratch-svg-renderer/src/sanitize-svg.js
github-actions bot commented Apr 6, 2026

Test report for scratch-svg-renderer

  1 files  ±0   60 suites  ±0   0s ⏱️ ±0s
129 tests +5  129 ✅ +5  0 💤 ±0  0 ❌ ±0 
281 runs  +5  280 ✅ +5  1 💤 ±0  0 ❌ ±0 

Results for commit 629c2bd. ± Comparison against base commit 33eda2c.


github-actions bot commented Apr 6, 2026

Test report for task-herder

28 tests  ±0   28 ✅ ±0   0s ⏱️ ±0s
 7 suites ±0    0 💤 ±0 
 1 files   ±0    0 ❌ ±0 

Results for commit 629c2bd. ± Comparison against base commit 33eda2c.


github-actions bot commented Apr 6, 2026

Test report for scratch-render

  1 files  ±0   55 suites  ±0   2s ⏱️ ±0s
209 tests ±0  209 ✅ ±0  0 💤 ±0  0 ❌ ±0 
279 runs  ±0  279 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 629c2bd. ± Comparison against base commit 33eda2c.


github-actions bot commented Apr 6, 2026

Test report for scratch-gui

  2 files  ±0   63 suites  ±0   10m 38s ⏱️ +41s
399 tests ±0  391 ✅ ±0  8 💤 ±0  0 ❌ ±0 
417 runs  ±0  409 ✅ ±0  8 💤 ±0  0 ❌ ±0 

Results for commit 629c2bd. ± Comparison against base commit 33eda2c.


@KManolov3 KManolov3 left a comment


Looks good! Thanks for turning this around so quickly!

@cwillisf cwillisf requested a review from Copilot April 7, 2026 17:33
Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 14 changed files in this pull request and generated 2 comments.



Comment thread packages/scratch-svg-renderer/src/sanitize-svg.js Outdated
Comment thread packages/scratch-svg-renderer/src/sanitize-svg.js Outdated
@cwillisf cwillisf force-pushed the hotfix/more-svg-sanitization branch from 89c851d to 9442435 Compare April 7, 2026 17:41
@cwillisf cwillisf requested a review from Copilot April 7, 2026 17:41
Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 14 changed files in this pull request and generated 1 comment.



Comment thread packages/scratch-svg-renderer/src/sanitize-svg.js
github-actions bot commented Apr 7, 2026

Test report for scratch-media-lib-scripts

20 tests  ±0   20 ✅ ±0   0s ⏱️ ±0s
 1 suites ±0    0 💤 ±0 
 1 files   ±0    0 ❌ ±0 

Results for commit 629c2bd. ± Comparison against base commit 33eda2c.


@cwillisf cwillisf merged commit 5dfbe9a into develop Apr 7, 2026
34 of 35 checks passed
@cwillisf cwillisf deleted the hotfix/more-svg-sanitization branch April 7, 2026 18:40
@github-actions github-actions bot locked and limited conversation to collaborators Apr 7, 2026
3 participants